Risk Assessments: What You Need to Know


By Jason Riddle, LBMC Managed Security Services

An information security risk assessment (sometimes called a risk analysis) is one of the most powerful steps an organization can take to understand its security needs, helping protect the reputation and stability of a business as well as the privacy of its employees and customers.

By having a qualified third-party security expert perform an assessment of your organization’s specific risks, you can identify the serious consequences that are likeliest to bear on your business – and the measures you may need to implement to mitigate this risk.

So how exactly does a risk assessment work? When should you have one performed, and how do you ensure that your assessment covers all your bases?

Every organization should have a risk assessment performed annually. You should also conduct an assessment after any significant change in a technology or business process. If you started using a cloud provider for a major business function, for example, or changed one of the core technologies running your systems, these would be good times to evaluate how your risk has changed.

Risk Assessment Methodologies

An effective assessment begins with a strong methodology. There are three widely recognized approaches to information risk assessment, and the key is to find the one that aligns with your organization’s needs. Those three methodologies are:

  • Guidance from the National Institute of Standards and Technology (NIST). This special publication (found by its designation NIST SP 800-30) represents the risk assessment methodology of the U.S. federal government.
  • Factor Analysis of Information Risk (FAIR). This industry-driven methodology has gained a lot of traction over the last five years. While many people perform qualitative analyses, rating risk as high, medium, or low, FAIR enables a more quantitative approach and helps count potential losses in a defensible way.
  • OCTAVE. The OCTAVE methodology is an established and widely used approach developed and overseen by the CERT Division of the Carnegie Mellon University Software Engineering Institute.
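To make the difference between a qualitative high/medium/low rating and the quantitative approach concrete, here is an added worked example that is not part of the article and not FAIR's or any vendor's tooling. It borrows only FAIR's two top-level factors, loss event frequency and loss magnitude, and estimates annual loss exposure by Monte Carlo simulation. The two scenarios and every min/most-likely/max figure in them are constructed assumptions of the kind an assessor would gather in workshops, not data from the article.

```python
"""Quantitative loss-exposure estimate for risk scenarios (added illustration).

Uses loss event frequency and loss magnitude, the two top-level factors of
FAIR, but is not FAIR's full taxonomy. All input figures are constructed.
"""
import math
import random
import statistics

# Constructed scenarios: (min, most likely, max) estimates.
# Frequency is events per year; magnitude is USD loss per event.
SCENARIOS = [
    {"name": "Lost laptop holding customer PII",
     "frequency": (0.2, 1.0, 3.0),
     "magnitude": (20_000, 75_000, 400_000)},
    {"name": "Credential phishing of a finance user",
     "frequency": (0.5, 2.0, 6.0),
     "magnitude": (5_000, 20_000, 150_000)},
]


def poisson(rng, rate):
    """Sample how many events occur in one year at a mean rate (Knuth's method)."""
    limit = math.exp(-rate)
    count = 0
    product = 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(scenario, iterations=10_000, seed=1):
    """Monte Carlo: return one simulated total annual loss per iteration."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    f_min, f_mode, f_max = scenario["frequency"]
    m_min, m_mode, m_max = scenario["magnitude"]
    losses = []
    for _ in range(iterations):
        # draw this year's event rate from the frequency estimate,
        # then the number of events that actually occur at that rate
        rate = rng.triangular(f_min, f_max, f_mode)
        events = poisson(rng, rate)
        # each event draws its own magnitude from the impact estimate
        total = sum(rng.triangular(m_min, m_max, m_mode) for _ in range(events))
        losses.append(total)
    return losses


def summarize(losses):
    """Reduce the simulated distribution to figures a risk register can hold."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "expected_annual_loss": statistics.fmean(ordered),
        "median": ordered[n // 2],
        "p90": ordered[int(0.9 * (n - 1))],
        "worst_simulated": ordered[-1],
    }


def rank_scenarios(scenarios, iterations=10_000, seed=1):
    """Order scenarios by expected annual loss, highest exposure first."""
    results = []
    for scenario in scenarios:
        stats = summarize(simulate_annual_loss(scenario, iterations, seed))
        results.append((scenario["name"], stats))
    results.sort(key=lambda item: item[1]["expected_annual_loss"], reverse=True)
    return results


if __name__ == "__main__":
    for name, stats in rank_scenarios(SCENARIOS):
        print(f"{name}:")
        for key, value in stats.items():
            print(f"  {key:>20}: ${value:,.0f}")
```

The point of the percentile figures is that a single "high" label hides the difference between a scenario that costs a modest amount every year and one that is rarely hit but ruinous when it is; the p90 and worst-simulated values make that tail visible and defensible when prioritizing controls.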

Finding a Risk Assessment Partner

Once you’ve selected a methodology, it’s important to find the right third-party partner. This decision is the real key to ensuring that your risk assessment is thorough. You will want to work with someone who truly understands the process and can walk through one of the three methodologies above with respect to your sensitive data.

This data might be intellectual property, personally identifiable information or credit card data. In any case, a risk assessment will identify the sensitive information in your possession and where it is stored, and then determine your organization’s risks. The assessment will determine how likely attacks and other security incidents are to occur as well as the likely impact.

These determinations will help show you the level of risk you face, and this is the key piece of information for your organization.

The nature of your specific work and industry will tend to mean that you need to prioritize certain security controls over others. This is crucial knowledge for any business, highlighting the most clear and present dangers that really can impact your organization. A good risk assessment will also provide a clear, specific and grounded plan of action. Instead of throwing a lot of security ideas and measures against the wall to see what sticks, your security strategy will be demonstrably based on your organization’s needs.

Good security is a crucial investment, helping to protect not only your valuable data, but also your reputation and your clients’ or customers’ trust. By informing and improving your security with a risk assessment, you can help drive your organization toward greater responsibility and success.

Jason Riddle is Practice Leader at LBMC Managed Security Services where he helps defend his clients’ networks. He has over 15 years of experience working both as a consultant, advising commercial and government clients, and as a corporate information security officer for a financial services organization. His core areas of expertise are technology infrastructure, security and compliance, electronic payments, and developing processes to defend networks and systems against today’s advanced threats.